httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 44858] New: Systematic SSL session renegociation, client cert, Firefox >= 2.0.13
Date Wed, 23 Apr 2008 13:26:41 GMT

           Summary: Systematic SSL session renegociation, client cert,
                    Firefox >= 2.0.13
           Product: Apache httpd-2
           Version: 2.2.8
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl

Not quite sure if it's a bug or one hell of a feature :-)

There are two "zones" on our SSL-ized server :

SSLPassPhraseDialog     builtin
SSLSessionCache         "shm:/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLMutex                "file:/apache/logs/ssl_mutex"

<VirtualHost _default_:443>
# The regular, simple SSL server

DocumentRoot "/apache/htdocs"

SSLEngine on
SSLCertificateFile    "/apache/conf/ssl/server.crt"
SSLCertificateKeyFile "/apache/conf/ssl/server.key"
SSLCACertificateFile  "/apache/conf/ssl/ca.crt"

Alias /manual /apache/manual

# And a sub-tree with Client Cert verification
<Directory "/apache/manual">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all

    SSLVerifyClient require
    SSLVerifyDepth 1

Since Firefox 2.0.13, the default config of the browser regarding client
certificates is "Ask everytime" (that's because of

And that's where we get badly hit. When requesting server:443/manual/something,
we ALWAYS get an SSL renegociation :

[info] Initial (No.1) HTTPS request received for child 2 (server
[debug] ssl_engine_kernel.c(426): Changed client verification (0 to 3) type
will force renegotiation
[info] Requesting connection re-negotiation

The "(0 to 3)" in the second message means "verify_old is 0 (NONE), verify is 3
(PEER_STRICT)", probably because when URL-parsing we went from / (no client
cert verification) to /manual (SSLVerifyClient Require). That's just a guess.

The end result is that, for every request (except keepalive), the browser asks
"Which client certificate do you want to use ?", making the user-experience
quite hellish.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message